Review of NIST 800-171

NIST 800-171—All You Need to Know

In this day and age, information is king. This means that data handling and recordkeeping are critical processes that help businesses build and maintain the trust and confidence of their vendors, contractors, partners, and customers. Of course, when the federal government gets involved in any way, cybersecurity for the protection of business, personal and government information becomes paramount.

Human error and the presence of cyber threats pose risks to data integrity and security. So, in order to help protect Controlled Unclassified Information (CUI), Special Publication 800-171 was created by the National Institute of Standards and Technology (NIST).

However, before diving deep into NIST 800-171, we need to clarify what Controlled Unclassified Information is. In simple terms, CUI is data that is uncategorized and not strictly regulated by the federal government, yet is considered sensitive and of interest to the United States.

The Executive Agent tasked with creating and implementing standards for unclassified data and overseeing agency compliance is the National Archives and Records Administration. In its view, since CUI is potentially sensitive yet unclassified, specific measures need to be in place and implemented to ensure it is properly safeguarded.

All agencies are required to create a public registry of their CUI categories and subcategories, as well as to define why such specific data is considered CUI. A good example is the “financial” category, which can include further subcategories such as budgets, bank secrecy, mergers, etc. As indicated by the category name, all items contained within should relate to U.S. fiscal functions and financial institutions.

All about NIST 800-171

The National Institute of Standards and Technology Special Publication 800-171 or NIST 800-171 governs CUI in Non-Federal Information Systems and Organizations. It covers a set of standards that spell out ways to safeguard and disseminate CUI.

NIST 800-171 came into being after the 2003 passing of the Federal Information Security Management Act (FISMA), which resulted in a number of security standards and guidelines. With the number of cyber threats increasing and after several documented data breaches in the last few years, NIST SP 800-171 is designed to improve cybersecurity. In fact, because of cyberattacks such as the ones on the U.S. Postal Service (USPS) and the National Oceanic and Atmospheric Administration (NOAA), the NIST guidelines have already undergone revisions several times.

The primary purpose behind the creation of NIST 800-171 is to ensure unclassified information remains protected and intact, even when it isn’t part of federal information systems and organizations. NIST 800-171 contains security requirements in 14 different categories with 110 required controls, including:

  • Configuration management
  • Awareness training
  • Identification and authentication
  • Security assessment
  • Audit and accountability
  • System and communications protection
  • Physical protection
  • Media protection
  • Incident response
  • Access control
  • Maintenance
  • System and information integrity
  • Personnel security
  • Risk assessment

These regulations and categories are designed to organize and protect CUI not intended for public consumption.

Specific government agencies such as the National Aeronautics and Space Administration (NASA), General Services Administration (GSA), and Department of Defense (DoD) have a revised set of rules for NIST compliance, which took effect on December 31, 2017. It requires anyone working with CUI from these agencies to apply specific data handling measures and to report non-compliance to the agency chief information officer (CIO).

Federal regulations such as DFARS clause 252.204-7012 state that all affected companies and agencies need to evaluate and document their compliance when it comes to handling this type of information in more than a dozen areas. This includes their network configuration, media protection, and how employees gain access to the NIST 800-171 standard.

In effect, NIST 800-171 has helped standardize the rules for data handling, safeguarding, and disposal of material. Before NIST 800-171 came into being, each agency had its own unique set of rules, and such inconsistencies posed potential security risks when information needed to be shared with multiple contractors. This is why you need to strictly adhere to NIST 800-171 if you are an entity that handles CUI.

If you have questions about NIST 800-171, or if you require guidance regarding compliance, please get in touch.

Interactive Security, Inc. has been at the forefront of providing industry leading expert information technology security services to clients across the globe – focused on IT Security Auditing & Compliance.


Emory Vandiver

Emory Vandiver is the Vice President of Business Operations and a Partner at Interactive Security, where he is responsible for executing the company's strategy as a premier IT Security and Compliance provider. For over 20 years Emory has worked for leading enterprises across a diverse cross section of the information technology industry. His professional passion lies in understanding client business goals, challenging the status quo and leveraging technology-based solutions to maximize client performance. He strives to bring unique insight and value to his clients' businesses, along with a superior customer experience.